Client Side Honeypots
1. Client-Side Honeypots
Bing Yuan
Department of Computer Science
RWTH Aachen
April 26, 2007
2. Overview
Motivation
The Client-Side Honeypot
The CHP System
Attack Patterns
Future Works
7. Motivation / Client-side exploits grow very fast
Problems
a client-side exploit means exploiting vulnerabilities in client-side software
computers can be infected simply by browsing web pages or opening emails
about 90% of PCs connected to the internet were infected with spyware in 2006 (www.webroot.com)
Bing Yuan Client-Side Honeypots
10. Motivation / Client-side exploits grow very fast
Analysis
client-side software is widespread: web browsers, email clients, ...
client-side software has many vulnerabilities:
Microsoft Security Bulletin Search: IE, OE, ...
Mozilla Foundation Security Advisory: Firefox, Thunderbird, ...
14. Motivation / Traditional methodology is inadequate
anti-malware software is entirely reactive
traditional honeypots focus on server-side attacks
we need to handle client-side attacks proactively
17. The Client-Side Honeypot / Overview
Definition
A client-side honeypot is a trap computer that simulates or drives client-side software to actively and automatically search for attacks, records system activities, and judges which of those activities are malicious, in order to learn about client-side attack patterns.
18. The Client-Side Honeypot / Overview
Characteristics
client-side: it simulates or drives client-side software and does not provide services
active: because it cannot lure attacks, it must actively search for them
automatic: because a huge number of resources must be visited, the client-side honeypot's tasks must be automated
identify: it must be able to judge which system activities are normal and which are malicious
22. The Client-Side Honeypot / Classification
Classification
high-interaction and low-interaction
according to the development technology:
integrity control: take two snapshots of the system, before and after crawling, then compare them to judge whether the system's integrity has changed
real-time monitoring: during crawling, intercept the important system calls using hook technologies and record the system activities they cause
more efficient: it does not need system snapshots
more precise: every important system call is intercepted
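As an added illustration (my code, not from the deck or from any project it names), the integrity-control approach on a directory tree: snapshot before, snapshot after, diff. It also shows the precision gap the slide points to, since a file created and deleted between the two snapshots never appears in the diff, whereas a system-call hook would see it.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Baseline of every regular file under root: relative path -> (size, sha256).

    Integrity control takes one such snapshot before the crawl and one after;
    the difference between them is the only evidence this approach produces.
    """
    snap = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if not path.is_file():
                continue
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            snap[str(path.relative_to(root))] = (path.stat().st_size, digest)
    return snap


def diff_snapshots(before, after):
    """Classify paths as created, deleted or modified between two snapshots."""
    common = set(before) & set(after)
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def demo():
    """Constructed scenario in a temp directory (not a real infection):
    a page visit drops a file, edits one, removes one, and also creates and
    deletes a temporary file between the two snapshots."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "system.ini").write_text("[boot]\nshell=explorer.exe\n")
        (r / "hosts").write_text("127.0.0.1 localhost\n")
        (r / "cache.tmp").write_text("scratch\n")
        before = snapshot(root)

        (r / "dropped.exe").write_bytes(b"MZ\x90\x00")                            # created
        (r / "hosts").write_text("127.0.0.1 localhost\n127.0.0.1 added.example\n")  # modified
        (r / "cache.tmp").unlink()                                                # deleted
        (r / "transient.tmp").write_text("gone before the second snapshot\n")
        (r / "transient.tmp").unlink()                                            # invisible to the diff

        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    print(demo())
```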
28. The Client-Side Honeypot / Client-side honeypot projects
Client-side honeypot projects (1)
HoneyC: low-interaction client-side honeypot developed by Christian Seifert in 2006; a platform-independent open source framework written in Ruby
drives a visitor component, such as a web browser simulator, to visit web servers
uses an analysis engine to determine whether the system's security policies are violated
Capture-HPC: high-interaction client-side honeypot developed by many researchers at Victoria University of Wellington using Java and C
the Capture server is responsible for controlling the Capture clients
a Capture client is responsible for recording the system activities in real time
34. The Client-Side Honeypot / Client-side honeypot projects
Client-side honeypot projects (2)
Honeyclient: the first open source high-interaction client-side honeypot, developed by Kathy Wang in Perl in early 2005
establishes two baselines of system files and registry entries, before and after visiting one whole domain
compares the two baselines to find integrity changes
HoneyMonkey System: short for Strider HoneyMonkey Exploit Detection System, developed by Microsoft in 2005; the first high-interaction client-side honeypot system to find a 0-day exploit
runs one web browser instance for each malicious URL and waits for some minutes
in the meantime it records and analyses the system activities
pipeline of virtual machines with different patch levels
41. The CHP System / Overview
Overview
the goal: implement a system that can determine whether clicking on a web link causes system activities; if so, judge whether these activities are normal or malicious; and when they are malicious, investigate the URLs that caused them to gain knowledge about client-side attack patterns
the CHP system is a high-interaction client-side honeypot consisting of CI (Crawl and Identify), developed by me in C++, and CWSandbox, developed by Carsten Willems in Delphi; it runs on Windows XP/2000
43. The CHP System / The CI
Which system activities should be controlled
files: created, deleted, modified files
registry entries: created, deleted, modified keys/data/values
processes: opened, created, terminated processes
network connections: malicious network connections
memory: the ultimate goal of system control, because most malware leaves traces in memory, but it is not easy to implement
48. The CHP System / The CI
Schema (figure not reproduced in the text)
49. The CHP System / The CI
The GUI of CI (screenshot not reproduced in the text)
50. The CHP System / The CI
The crawling part
How is the URL list built?
the first 100 search results (URLs)
a blacklist containing known malicious URLs
URLs extracted from email bodies
URLs extracted from the crawled web pages
the malicious URLs we identified after one execution
55. The CHP System / The CI
Crawling parameters
breadth: how many web links on one web page we want to click on
depth: how many layers we want to visit; for example, if the depth equals two, the current web page is layer zero, we click on the web links at layer zero to reach the first layer, then reach the second layer by clicking on the web links at the first layer
length: the time between visiting two URLs
58. The CHP System / The CI
Layers (figure: crawl tree for Breadth = 3, Depth = 2; not reproduced in the text)
59. The CHP System / The CI
Computing
number of URLs to visit: N = breadth^0 + breadth^1 + breadth^2 + ... + breadth^depth
time needed for one crawl (in seconds): (N - 1) × length
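An added example, my code rather than CI's, covering the crawling part, the three crawling parameters and the two formulas on this slide: a layered crawl planner run against a constructed in-memory site so it works offline. How CI itself follows links is not shown in the deck, so the "first breadth links on each page, each URL planned once" rule is an assumption; `max_urls` and `crawl_seconds` are the slide's formulas.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin


class LinkExtractor(HTMLParser):
    """Collect <a href> targets in document order, resolved against the page URL."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                self.links.append(urljoin(self.base_url, value))


def extract_links(url, html):
    parser = LinkExtractor(url)
    parser.feed(html)
    return parser.links


def plan_crawl(seed, fetch, breadth, depth):
    """Visit order as (layer, url) pairs, following the slide's parameters.

    Layer 0 is the seed page.  From each page at layer k the first `breadth`
    links are followed to layer k+1, stopping at layer == depth.  A URL is
    planned only once, so the plan can be shorter than the slide's upper bound.
    """
    plan = [(0, seed)]
    seen = {seed}
    queue = deque([(0, seed)])
    while queue:
        layer, url = queue.popleft()
        if layer >= depth:
            continue
        for link in extract_links(url, fetch(url))[:breadth]:
            if link in seen:
                continue
            seen.add(link)
            plan.append((layer + 1, link))
            queue.append((layer + 1, link))
    return plan


def max_urls(breadth, depth):
    """Slide formula: breadth^0 + breadth^1 + ... + breadth^depth."""
    return sum(breadth ** i for i in range(depth + 1))


def crawl_seconds(n_urls, length):
    """Slide formula: (number of URLs - 1) x length, length = pause between two visits."""
    return (n_urls - 1) * length


# Constructed miniature site standing in for real pages; ".test" is a reserved TLD.
SITE = {
    "http://example.test/": '<a href="/a">A</a><a href="/b">B</a><a href="/c">C</a><a href="/d">D</a>',
    "http://example.test/a": '<a href="/a1">A1</a><a href="/b">B again</a>',
    "http://example.test/b": '<a href="/b1">B1</a><a href="/b2">B2</a><a href="/b3">B3</a>',
    "http://example.test/c": "<p>no links here</p>",
}


def fetch_local(url):
    return SITE.get(url, "")


def demo(breadth=3, depth=2, length=10):
    plan = plan_crawl("http://example.test/", fetch_local, breadth, depth)
    return {
        "planned": len(plan),
        "upper_bound": max_urls(breadth, depth),
        "seconds": crawl_seconds(len(plan), length),
        "layers": [layer for layer, _ in plan],
    }


if __name__ == "__main__":
    for layer, url in plan_crawl("http://example.test/", fetch_local, 3, 2):
        print(layer, url)
    print(demo())
```

With Breadth = 3 and Depth = 2 as on the "Layers" slide, the bound is 13 URLs, but the duplicate link to /b and the page without links bring the actual plan down to 8.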
60. The CHP System / The CI
The identify part
after crawling and hooking, namely real-time monitoring, we obtain "analysis.xml", which contains all important activities caused by visiting the URLs
activity = action + filepath + filename
parse this XML file and identify malicious activities using filter patterns
63. The CHP System / The CI
Filter patterns (1)
Activity            | Filter patterns
File's activity     | does not contain "Temporary Internet Files"
Registry's activity | contains "Browser Helper Objects"
                    | contains "CurrentVersion\Run"
                    | contains "CurrentVersion\RunOnce"
                    | contains "CurrentVersion\RunServices"
                    | contains "CurrentVersion\RunServicesOnce"
                    | contains "Internet Explorer\Toolbar"
                    | contains "Search Assistant"
                    | contains "Search Bar"
                    | contains "Search Page"
                    | contains "Start Page"
64. Motivation
The Client-Side Honeypot Overview
The CHP System The CI
Attack Patterns The CWSandbox
Future works
Filter patterns (2)
Activity Filter Patterns
contains ”Startup Folder”
contains ”Hosts”
contains ”CurrentVersionWinLogon”
contains ”CurrentControlSetServices”
contains ”CurrentControlSetControl”
contains ”ShellOpenCommand”
contains ”ShellExecuteHooks”
Process create or terminate activities
Ini-file’s activity contains ”win.ini” and ”run” and ”load”
contains ”system.ini” and ”load” and ”shell”
Winsock every crawled URL
Bing Yuan Client-Side Honeypots
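Added example for the identify part and the filter pattern table (not the CI's own code): a parser for an analysis.xml report that builds the activity string from action, filepath and filename and applies the table's patterns. The XML layout (one `<activity>` element per event with `type`, `action`, `filepath`, `filename` and, for ini files, `key` attributes) and the sample report are assumptions; the real CWSandbox report format is not on the slides.

```python
import xml.etree.ElementTree as ET

# Substrings from the "Filter patterns" table, registry keys as Windows paths.
REGISTRY_PATTERNS = [
    "Browser Helper Objects", "CurrentVersion\\Run", "CurrentVersion\\RunOnce",
    "CurrentVersion\\RunServices", "CurrentVersion\\RunServicesOnce",
    "Internet Explorer\\Toolbar", "Search Assistant", "Search Bar", "Search Page",
    "Start Page", "Startup Folder", "Hosts", "CurrentVersion\\Winlogon",
    "CurrentControlSet\\Services", "CurrentControlSet\\Control",
    "Shell\\Open\\Command", "ShellExecuteHooks"]
# ini patterns: the file name plus (assumption) any one of the listed keys
INI_PATTERNS = {"win.ini": ("run", "load"), "system.ini": ("load", "shell")}

def is_malicious(kind, action, activity):
    """Apply the table's filter pattern to one activity string."""
    low = activity.lower()
    if kind == "file":      # anything outside the browser cache is suspicious
        return "temporary internet files" not in low
    if kind == "registry":  # autostart and browser-hijacking locations
        return any(p.lower() in low for p in REGISTRY_PATTERNS)
    if kind == "process":
        return action in ("create", "terminate")
    if kind == "inifile":
        return any(f in low and any(k in low for k in keys) for f, keys in INI_PATTERNS.items())
    return kind == "winsock"  # network activity is reported for every URL

def identify(xml_text):
    """Parse analysis.xml (assumed layout, see lead-in) and return the
    activities the filter patterns mark as malicious as (kind, activity)."""
    findings = []
    for node in ET.fromstring(xml_text.strip()):
        # activity = action + filepath + filename, as on the slide (key added for ini files)
        activity = " ".join(node.get(a, "") for a in ("action", "filepath", "filename", "key"))
        if is_malicious(node.get("type"), node.get("action"), activity):
            findings.append((node.get("type"), activity))
    return findings

# Constructed report in the assumed layout, not a real CWSandbox output.
SAMPLE_ANALYSIS_XML = r"""
<analysis>
 <activity type="file" action="create" filepath="C:\Documents and Settings\user\Local Settings\Temporary Internet Files\" filename="page[1].htm"/>
 <activity type="file" action="create" filepath="C:\WINDOWS\system32\" filename="svchost.exe"/>
 <activity type="registry" action="set" filepath="HKLM\Software\Microsoft\Windows\CurrentVersion\Run" filename="updater"/>
 <activity type="registry" action="set" filepath="HKCU\Software\Microsoft\Internet Explorer\Main" filename="Start Page"/>
 <activity type="registry" action="query" filepath="HKCU\Software\Microsoft\Internet Explorer\Main" filename="Window Title"/>
 <activity type="process" action="create" filepath="C:\WINDOWS\system32\" filename="svchost.exe"/>
 <activity type="inifile" action="write" filepath="C:\WINDOWS\" filename="win.ini" key="run"/>
 <activity type="winsock" action="connect" filepath="" filename="http://bad.example/"/>
</analysis>
"""
```

Running `identify(SAMPLE_ANALYSIS_XML)` keeps six of the eight activities: the cached page and the harmless registry query are filtered out.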
65. Introduction
the CWSandbox automatically analyses a malware sample's behaviour by running the malware and intercepting all important calls to the Windows API that cause the corresponding system activities
the CWSandbox uses hooking technology: hooking a function means intercepting calls to that function by another function, called the hook
finally it generates one summarized report
68. The integration of CI and CWSandbox
the CWSandbox starts one IE instance as the "malware" sample; this instance is captured by the CI
the CI continuously crawls the URLs from the URL list using this IE instance
in the meantime the system activities caused by visiting these URLs are recorded by the CWSandbox
the CWSandbox generates one summarized report of the system activities
the identify part of the CI parses and analyses this report to judge which activities are malicious
73. Attack patterns (1)
malware uses social engineering to disguise itself, e.g. with file names such as "svchost.exe"
redirects the user's network connections, e.g. using an invisible "iframe"
malicious websites place their weblinks on the webpages of other websites
conceals the source code using obfuscation, often several times over
77. Attack patterns (2)
uses different scripting languages, e.g. a mixture of VBScript and JavaScript
uses script code to operate directly on the local system, e.g. via the "Scripting.FileSystemObject" object
malware uses various methods to create, execute and delete itself at the same time
malware uses rootkit technologies to hide itself
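Added example (not from the slides): a static scanner a CI could run over a crawled page before the behavioural analysis, flagging the attack patterns above: invisible iframes (zero size or hiding style), a mixture of VBScript and JavaScript, use of "Scripting.FileSystemObject", and common obfuscation helpers. The sample page is constructed; the indicator names are my own.

```python
import re

# Constructed page standing in for a crawled webpage (not from the slides).
SAMPLE_HTML = """
<html><body><p>Welcome</p>
<iframe src="http://third-party.example/ad" width="0" height="0"></iframe>
<iframe src="http://partner.example/widget" width="300" height="250"></iframe>
<iframe src="http://other.example/x" style="visibility: hidden"></iframe>
<script language="VBScript">Set fso = CreateObject("Scripting.FileSystemObject")</script>
<script type="text/javascript">document.write(unescape("%3Cp%3Ehi%3C%2Fp%3E"));</script>
</body></html>
"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
# name=value pairs: double-quoted, single-quoted or bare attribute values
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

def iframe_is_hidden(tag):
    """True if the iframe tag has zero width/height or a hiding style."""
    attrs = {}
    for m in ATTR_RE.finditer(tag):
        attrs[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    style = attrs.get("style", "").replace(" ", "").lower()
    zero = any(attrs.get(d, "").rstrip("px") == "0" for d in ("width", "height"))
    return zero or "display:none" in style or "visibility:hidden" in style

def scan_page(html):
    """Return (indicator, detail) findings for the attack patterns listed on
    the slides: hidden iframes, mixed script languages, direct file-system
    access from script, and common obfuscation helpers."""
    findings = []
    for tag in IFRAME_RE.findall(html):
        if iframe_is_hidden(tag):
            findings.append(("hidden_iframe", tag))
    low = html.lower()
    langs = sorted(name for name in ("vbscript", "javascript") if name in low)
    if len(langs) > 1:
        findings.append(("mixed_scripting", ",".join(langs)))
    if "scripting.filesystemobject" in low:
        findings.append(("filesystem_object", "Scripting.FileSystemObject"))
    for helper in ("unescape(", "eval(", "string.fromcharcode("):
        if helper in low:
            findings.append(("obfuscation_helper", helper))
    return findings
```

A hit from this scanner only marks a URL for closer inspection; the behavioural filter patterns of the identify part remain the actual verdict.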
81. Future works (1)
further improve the CHP system and expand the filter patterns
test the CHP system in the Laboratory for Dependable Distributed Systems at the University of Mannheim and the Honeynet Organization
improve the email part so that it can investigate vulnerabilities of the email client; this must be coordinated with the CWSandbox, which can monitor activities such as opening emails or email attachments
add the network control part
85. Future works (2)
improve the integrity control part; with better configuration and implementation the integrity control approach may also work very efficiently
the CWSandbox is not an open source project, so we may build our own real-time monitoring kernel
deepen the theoretical research on client-side honeypots, which can help us improve the CHP system further
build one central repository that can be accessed through the project website or the CI; this repository will store the malicious URLs and their activities, and distributed users all over the world can run the CHP system and submit the malicious URLs they find to this central repository